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A smart card for use in connection with execution of a 
software program by a computer includes a microcontroller 
configured by a program stored in a smart card memory to 
verify information received from the computer during 
execution of the software program. The microcontroller is 
further configured to cause a signal to be stored in the smart 
card memory which is indicative of whether execution of the 
software program is certified as valid based on results of 
verifying the received information. Methods of using the 
smart card are also disclosed. 
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VALIDATING AND CERTIFYING 
EXECUTION OF A SOFTWARE PROGRAM 
WITH A SMART CARD 

BACKGROUND OF THE INVENTION 

The invention relates generally to validating and certify- 
ing execution of a software program with a smart card. 

The proliferation of computers, including the personal 
computer, has allowed a wide variety of tasks and functions 
to be performed more efficiently and quickly. In addition, 
computers have provided a new mode for providing 
entertainment, for example, in the gaming industry, where it 
is occasionally desirable to validate results obtained by a 
consumer. The continued reliance on computer systems 
depends, in part, on the ability of persons using such systems 
to be assured that software programs being executed by the 
computer are, in fact, producing reliable results. This 
requires, among other things, that persons who wish to rely 
on results generated by a computer executing particular 
software are assured that the software has not been altered 
in an unauthorized manner. Situations can arise in which a 
software program has been altered or modified in an unau- 
thorized manner, yet the alteration or modification may not 
always be capable of being easily detection by the user of the 
program. Such unauthorized alterations can result, for 
example, in the program's producing erroneous results. It 
may also allow unauthorized persons to use the software or 
may cause damage to the local computing environment. 
Moreover, such modifications of the computer program may 
result in proprietary information being sent to unauthorized 
third parties. 

SUMMARY OF THE INVENTION 
In general, in one aspect, the invention features a method 
of validating execution of a software program. The method 
includes executing the software program on a computer, 
sending information from the computer to a smart card 
during execution of the software program, verifying in the 
smart card information received from the computer, and 
storing a signal in the smart card indicative of whether 
execution of the software program is certified as valid. 

In another aspect, the method of validating execution of 
a software program includes executing the software program 
on a computer, verifying in a smart card information 
received from the computer during execution of the software 
program, and generating a signal in the smart card indicative 
of whether execution of the software program is certified as 
valid. 

In yet a further aspect, the invention features a smart card 
for use in connection with execution of a software program 
by a computer. The smart card includes communication 
circuitry for receiving information from a location external 
to the smart card and for transmitting information from the 
smart card to the external location. The smart card further 
includes a memory which stores data and a smart card 
program. In addition, the smart card includes a microcon- 
troller configured by the smart card program to verify 
information received from the computer during execution of 
the software program and to cause a signal to be stored in the 
memory. The signal is indicative of whether execution of the 
software program is certified as valid based on results of 
verifying the received information. 

The invention also includes a software package including 
a computer readable medium, which stores a software pro- 
gram for execution by a computer, and a smart card, such as 
the smart card described above and discussed in greater 
detail below. 
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Various implementations of the invention include one or 
more of the following features. Different types of informa- 
tion can be sent to the smart card. The information can 
include, for example, an identifier indicative of a point in the 

5 software program at which the information was sent to the 
smart card, information indicative of the current state of the 
software program, or the current value of a variable used in 
the software program. The smart card can perform one or 
more verification tests in response to the information 
received from the computer. For example, the smart card can 
check whether the identifier is correct, whether the current 
value of the variable is accurate, or whether the current value 
of the variable falls within a prescribed range. The infor- 
mation sent by the computer can also identify memory 
addresses in the computer in which specified data is stored, 
and the smart card can verify whether the memory addresses 
are permissible memory locations for the specified data. 

One or more control values can be sent from the smart 
card to the computer in response to verifying the information 

2Q received from the computer. A control value can be used to 
determine when subsequent information will be sent from 
the computer to the smart card during execution of the 
software program. The smart card can determine whether the 
software program responds correctly to the one or more 

25 control values. The frequency with which the computer 
sends information to the smart card can depend upon the 
control values. The smart card can also verify that the order 
in which information is received from the computer is 
correct. 

30 In various implementations, the smart card can determine 
whether the frequency with which routines in the software 
program are called is within acceptable ranges. Similarly, 
the smart card can determine whether a duration of time 
between successive calls to the smart card by the computer 

35 during execution of the software program is within accept- 
able ranges. 

The smart card can store or generate a signal indicating 
that execution of the software program is certified as valid 
or indicating that the software program was not altered in an 

40 unauthorized manner prior to or during its execution. The 
signal can be stored or generated after completion of the 
software program. In certain implementations, such a signal 
is stored only if all of the verification tests are satisfied. The 
signal indicative of whether execution of the software pro- 

45 gram is certified as valid can be retrieved from the smart 
card. Additionally, the microcontroller can be configured to 
cause a signal indicative of whether execution of the soft- 
ware program is certified as valid to be generated in response 
to a query generated externally to the smart card. 

50 The microcontroller in the smart card can be suitably 
configured to perform the various functions so as to provide, 
in response to the proper execution of the program by the 
computer, a signal which indicates that execution of the 
software program is certified as valid or which indicates that 

55 the software program was not altered in an unauthorized 
manner prior to or during execution of the software program. 

In an additional aspect, the invention includes a method of 
tracking the amount of usage of a software program 
executed by a computer. The method includes executing the 

60 software program on a computer, sending information from 
the computer to a smart card during execution of the 
software program, and storing information in the smart card 
indicative of the number of times the software program has 
been executed. The smart card can also store information 

65 indicative of the frequency with which various software 
routines were called during execution of the software pro- 
gram. 
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In various implementations, the invention provides one or 
more of the following advantages. The invention makes it 
easier to detect whether any unauthorized modifications to 
or tampering of the software program being executed by the 
computer has occurred. The invention can also provide a 
technique for validating and certifying the accuracy of 
results obtained by the software program. Such detection 
can be performed in a relatively low cost and secure manner. 

In some implementations, the smart card can be used to 
vary the extent of its probe of the computer program in 
response to information previously received from the com- 
puter during execution of the program. Thus, the smart card 
can tailor the probe and subsequent validation tests to 
provide a tamper resistant, yet efficient, technique for 
executing a computer program. 

The invention can also provide a technique for tracking 
the amount of use of a particular computer program. This 
tracking or metering can be used, for example, to charge 
consumers for their usage of the computer program on a 
per-use basis. 

Additional features and advantages will be readily appar- 
ent from the following detailed description, accompanying 
drawings and claims. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is an exemplary system in which the invention can 
be practiced. 

FIG, 2 is a flow chart illustrating a method according to 
one implementation of the invention. 

FIG. 3 is a flow chart illustrating a method according to 
another implementation of the invention. 

FIGS. 4A-4B are a flow chart illustrating a method 
according to a further implementation of the invention. 

FIG. 5 shows an exemplary computer program whose 
execution can be certified by a smart card according to the 
invention. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

FIG. 1 shows an exemplary system which includes a 
smart card 2. Smart cards, also known as microprocessor 
cards or chip-cards, are plastic cards approximately the size 
of a credit card embedded with an integrated circuit (IC) 
chip. The chip stores information while protecting it from 
unauthorized access. As shown in FIG. 1, the smart card 2 
includes a microcontroller 3. Software which controls the 
operations of the smart card 2 is stored in program memory 
4 such as nonvolatile read-only memory (ROM). The micro- 
controller 3 is appropriately configured by the program 
residing in the program memory 4 to perform the various 
smart card functions described below. Data is stored in a 
data memory 5. In the smart card 2 shown in FIG. 1, the data 
memory 5 includes an alterable nonvolatile memory, such as 
electrically erasable programmable read-only memory 
(EEPROM). The data memory 5 also includes random 
access memory (RAM). 

The system 1 further includes a terminal 10. The terminal 
10 includes a computer or other processor, such as a personal 
computer U, which can execute, for example, a software 
program installed in the computer 11. A smart card reader or 
reader/writer 12 is attached to and communicates with the 
computer 11. The terminal 10 also includes a device for a 
user to interact with the software program during its execu- 
tion. Such a device can include, for example, one or more of 
the following: a keyboard 13, a mouse 14, a joystick 15, an 
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interactive display screen 16, or other devices which allow 
a person using the program to provide appropriate input data 
or input signals to the computer 11. 
The smart card 2 also has a device for communicating 6 

5 with the smart card reader or reader/writer 12. In certain 
implementations, the device for communicating 6 is elec- 
trical circuitry which requires physical contact with pins in 
the smart card reader/writer 12. Alternatively, electrical 
circuitry on the smart card 2 can use inductive coupling, 

10 capacitive coupling or radio signals to communicate with the 
reader/writer 12. Communication may be performed by a 
local area or wide area network, for example, by way of the 
Internet or by a satellite communication link. 
The smart card 2 is issued by a particular vendor and is 

15 intended to be used in conjunction with a computer software 
program from the particular vendor. In one exemplary 
situation, the smart card 2 would be purchased as part of a 
software package including computer software stored on a 
computer-readable medium, such as a magnetic diskette. 

20 The computer-readable medium can be inserted into a drive 
19 in the computer 11 which is capable of reading and 
executing the software residing on the computer-readable 
medium. In other situations, the software program can be 
permanently stored in computer memory, such as read-only - 

25 memory (ROM). In still other situations, the smart card 
reader or reader/writer 12 is at a different location from the 
computer 11 and communicates with the computer 11 by a 
local area or wide area network, for example, by the Internet, 
satellite communication links or another suitable communi- 

30 cation means. 

In general, when a person wishes to use the software 
program on the computer, the smart card must be inserted in 
the reader/writer 12. The computer 11 then provides infor- 
mation or other data to the smart card 2 at selected points 

35 during execution of the software program. In certain 
implementations, the computer 11 also receives information, 
data or instructions from the smart card 2. The information, 
data or instructions generated by the smart card 2 can take 
various forms, including, for example, control values. Based 

40 upon the information or data provided to the smart card 2, 
the smart card can determine whether anyone has improp- 
erly altered or tampered with the program being executed by 
the computer 11. The smart card 2 can thus determine the 
validity of the results generated by the program and can 

45 certify the results as valid. 

FIGS. 2-3, 4A and 4B are flow charts showing various 
implementations of a method of validating the execution of 
a particular software program according to the invention. As 
shown by 100 in FIG. 2, the computer 11 begins to execute 

50 the particular software program. Execution of the program 
can begin, for example, when the computer 11 is powered 
up, when the user strikes a key on the keyboard 13, or when 
some other triggering signal is received by the computer 11. 
As indicated by 102, the software program instructs the 

55 computer to send certain information to the smart card 2 at 
a specified point during the program's execution. This 
information can include, for example, an identifier indicat- 
ing the point or line in the program which is executing the 
contact to the smart card as well as information regarding the 

60 current state of the program. The information regarding the 
current state of the program can include, for example, the 
present value of a particular variable used in the program. 
This information is sent to the smart card 2 which verifies 
the received information, for example, as accurate or within 

65 a prescribed range, as indicated by 104. The computer 
completes execution of the program, as indicated by 106. If 
the information received by the smart card 2 is verified, then 
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the smart card 2 certifies, for example, that the executed If the one or more verification tests performed by the 

program was not tampered with or altered, as indicated by smart card 2 are satisfied, then the smart card 2 certifies, for 

108. example, that the executed program was not tampered with 

In certain implementations, the certification would be or altered, as indicated by 118. If, on the other hand, any 
provided by the smart card 2 only in response to a query 5 verification test is not satisfied, then the smart card 2 is 
from another party, such as the vendor of the software, programmed to generate and send a signal to the computer 
having access to the certification results stored in the smart instructing the computer U to interrupt and terminate execu- 
card 2. For example, a separate program, not available to the tion of the software program. Moreover, the smart card 2 
purchaser of the software package, can be required to access will not certify that the program executed by the computer 
the validation results in the smart card 2. Thus, validation 1Q 11 was not tampered with or altered, 
and certification data and programs should be stored in a fjgS. 4A and 4B are a flow chart showing yet a further 
secure manner on the smart card 2. In some applications, this implementation of the invention. As shown by 130, the 
may involve the use of special passwords, as well as known computer 11 begins to execute the particular software pro- 
data encryption techniques. gfam ^ software program the computer u t0 

FIG. 3 is a flow chart of another implementation of a verify that the proper smart card is inserted in the smart card 
method of validating the proper -execution of a particular rea der/writer 12, as indicated by 132. In one 
^software program according to the invention. As shown by implementatioD) for exam te lhe smart card 2 can include a 
110, the computer 11 begins to execute the particular soft- ud ^ ^ M ^ daU m 5 which {s ^ 
ware program. As indicated by 112, the software program .7. , n , . • j « . , 
instructs the computer to send certain information to the !^ he 11 10 venf y lhe "*enUty of the smart card 
smart card 2 at a specified point during the program's 20 2- Assuring the proper smart card is inserted m the reader/ 
execution. This information can include, for example, an wnter U > \ [ ^ computer 11 sends certain information to the 
identifier indicating the point or line in the program which smart card 2 at a specified point during the program's 
is executing the contact to the smart card as well as infer- execution, as indicated by 134. Again, this information can 
mation regarding the current state of the program. The include, for example, an identifier indicating the point or line 
information regarding the state of the program can include, 25 m tnc program which is executing the call to the smart card 
for example, the value of specified variables used in the as well as information regarding the current state of the 
program being executed by the computer 11. The informa- program. The information regarding the current state of the 
tion sent by the computer 11 to the smart card 2 can also program can include, for example, the values of one or more 
include a signal indicating whether the computer program specified program variables as well as a signal indicating 
has been completed. In response to the information sent by 3 q whether execution of the software program has been com- 
the computer 11, the smart card 2 verifies the information pleted. In various implementations, the information regard- 
received from the computer 11, as indicated by 114. Various ing the state of the program can also identify the memory 
types of verifications can be performed, including checking addresses in which specified data is stored in the computer 
whether received values are accurate or within expected 11. 

ranges. The microcontroller 3 in the smart card 2 can also be 35 As indicated by 136, in response to the information 

configured to check whether the computer 11 sent informa- received by the smart card 2, the smart card 2 verifies 

tion to the smart card 2 at the appropriate points or fines whether the received values of program variables are within 

during the computer's execution of the program. acceptable ranges of expected values. If the received values 

The smart card 2 determines whether execution of the are not verified, then, as indicated by 140, the smart card 

program by the computer 2 has been completed, as indicated 40 determines whether the computer 11 has completed execu- 

by 116. If the computer 2 has completed its execution of the tion of the software program. If the computer 11 has not 

program, and the verification test or tests performed in 114 completed execution of the program, then the smart card 

were satisfied, then the smart card 2 certifies, for example, generates a signal which it sends to the computer 11 instruct - 

that the executed program was not tampered with or altered, ing the computer 11 to interrupt and terminate the program, 

as indicated by 118. 45 as indicated by 142. On the other hand, if the computer 11 

Returning to 116, if the computer 2 has not completed its has completed executing the program, then, as indicated by 

execution of the program, the smart card 2 returns one or 144, the smart card 2 stores a retrievable data signal or 

more control values to the computer 11, as indicated by 120. electronic flag in its memory 5 indicating that the results of 

In some implementations, for example, the control values the executed program are not certified as true, accurate or 

are used by the software program being executed in the 50 otherwise reliable. 

computer 11 to determine when the computer 11 should next If, in 136, the smart card 2 verifies that the received values 

send information to the smart card 2. The computer 11 are within acceptable ranges, then, as indicated by 146, the 

continues to execute the program, as indicated by 122. At the smart card 2 determines whether the received information 

appropriate point during the continued execution of the represents the first call by the computer 11 to the smart card 

program, the computer 11 again sends information to the 55 2. If this present call is the first call to the smart card 2, then 

smart card 2 (112). The additional information can also the smart card determines whether execution of the software 

include an identifier indicating the point or line in the program by the computer 11 is completed, as indicated by 

program which is executing the contact to the smart card 2 148. The determination of whether execution of the program 

as well as information regarding the current state of the is completed can be based, for example, on the signal sent 

program. The additional information can be the same or 60 by the computer 11 in 134. If execution of the program by 

different from the information previously sent to the smart the computer 11 is completed, then, as indicated by 162, the 

card 2 depending on the details of the software program smart card 2 stores a retrievable data signal or flag in its 

being executed by the computer 11 and any control values memory 5 indicating that the results of the executed program 

that may previously have been returned by the smart card 2. are certified as true, accurate or otherwise reliable. If execu- 

The smart card 2 verifies the received information (116). 65 tion of the program by the computer 11 is not completed, 

This cycle continues until execution of the program by the then the smart card 2 returns one or more control values to 

computer 11 is completed. the computer U, as indicated by 164. Again, in certain 
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implementations, the control values can instruct the com- In FIG. 5, MONITOR is a control variable whose value 

puter at what subsequent point or line in the program the can be changed by the smart card 2 at certain points during 

computer should next send information to the smart card 2. execution of the program. CONTACT_SMART_CARD 

The computer 11 continues to execute the program, as instructs the computer 11 to generate a call to the smart card 

indicated by 166. At the appropriate point during the con- 5 2 and to send it specific information. The first argument of 

tinued execution of the program, the computer 11 again tne ca u CONTACT_SMART-CARD identifies to the smart 

sends additional information to the smart card 2, as indicated card 2 which call it is receiving. In this example, the 
by 134. 

corresponding line number of the program which generates 

Returning to 146, if the smart card 2 determines that the m e ca n t0 smar t car( j ^ used, 

present call to the smart card is not the first call to the smart 10 In ^ j of ^ ^ y ^ [Mc M0N1TO R 

card during the present execution of the program then, in fa _ ^ {q ^ q , n ^ tfae tfae 

vanous implementations, the smart card 2 can perform one te / u t0 read or retrieve the va i ue of a variable x 

or more of the following additional . verification checks. As . „. , m * m ^ nr T „ i- „ -> tU * ^^^.t^ n 

. i * -r u .u .l. fr° m computer memory. In line 3, the computer 11 is 

indicated by 150, the smart card 2 can verify whether the . . t , f ... ' . , c v . r . 

" . Y- , ii t_ i_ i . ,i ^ . . instructed to send the current value of X to the smart card, 

order in which calls have been made to the smart . card i is 15 In ^ ^ Qf tfae ^ first a t ifl ^ ^ 

correct. The smart card 2 can also verify whether the to ^ smart ^ 2 ^ ^ information - t fe 

software program executed by the computer 11 responds feceivi fa from lme 3 Qf ^ 

correctly to the control values generated by the smart card, , . , r , , • ,™ « • 

as indicated by 152. In addition, the smart card 2 can verify Line 4 ° f thc P r0 S ram shown « ^* 5 U 1DStructs ' hc 

whether the frequency with which alternative routines in the M computer 11 to perform the next two lines of the program for 

software program are called is within acceptable ranges, as * e variable I, where I takes on each of the values one 

indicated by 154. This feature can be useful, for example, th ™S h successively. In line 5, if the current value of the 

when the execution history of the software program on the variable 1 minus the c ™. value °J MONITOR equals 

computer 11 is determined by a random number such as in zero > then lhe cornet 11 is instructed to make another call 

various software programs in the game industry. 25 t0 smart 2 : and t0 ™* the ^ J? f . 1 !? th ? 

Furthermore, as indicated by 156, the smart card 2 can verify s ™ rt card - In the floated example, the first call in line 5 

whether the memory addresses of particular data values or of the program would occur when I equals two. In response, 

computer instructions are correct or, alternatively, whether ^he smart card 2 returns a value for the control variable 

the memory addresses are permissible memory locations for MONITOR which can be the same or different from the 

the particular data. The smart card 2 can also verify whether 30 ^ value of the vanable MONITOR. For purposes of 

the elapsed time between calls to the smart card 2 is within ^lustration, it wiH be assumed that the smart card 2 returns 

an expected range of values given the input data, as indi- a value of eight for the variable MONITOR in response to 

catedbylSS. the first caU in line 5. 

Trie smart card 2 determines whether each of the addi- In line 6 of the program shown in FIG. 5, a new value for 

tional verification tests performed in 150 through 158 is 35 the variable X is calculated and set equal to the previous 

satisfied, as indicated by 160. If any of the verification tests value of X plus the current value of the variable I. The 

is not satisfied, then the smart card program returns to 140. program will continue to increment the value of I and to 

The smart card 2 either generates a signal instructing the calculate corresponding new values of X. No additional calls 

computer 11 to interrupt and terminate the program being will be made to the smart card 2 until the variable I equals 

executed by the computer 11 (142), or, if the program 40 eight. When I is set to eight in line 4 of the program, the 

running on the computer 11 has already been completed, the computer 11 makes another call to the smart card 2 in hne 

smart card 2 stores a retrievable data signal or flag in its * of the program. Assuming, for example, that the smart card 

memory 5 indicating that the results of the executed program 2 does not modify the value of the control variable MONI- 

are not certified as true, accurate or otherwise reliable (144). TOR in response to this call, then the program will continue 

Returning to 160, if all the verification tests performed in 45 t0 increme " 1 the f v ^ uc °.f 1 * nd !° ca ^ late *c "tesP°^- 

150 through 158 are satisfied, then the program in the smart 1Q S new values of * ™* * e vah * of Y the viable I is set to 

card 2 returns to 148 by which the smart card 2 determines lcn > a a final value of the vanable X 15 obtamed 10 hne 6 

whether the program being executed by the computer 11 has ot the V vo &* m ■ 

been completed. As previously discussed, the determination In line 7 of the program shown in FIG. 5, the computer 11 
of whether execution of the computer program is completed 50 ^ instructed to make yet another call to the smart card 2 and 
can be based, for example, on the signal sent by the to send the smart card the current value of the variable X. In 
computer 11 in 134. Depending on whether the computer 11 response, the smart card 2 returns, for example, encrypted 
has completed executing the program, the smart card 2 either data representing a certification that execution of the pro- 
stores a retrievable data signal or flag in its memory 5 gram by the computer 11 was not improperly altered if 
indicating that the results of the executed program are 55 various verification tests by the smart card were satisfied, 
certified as true, accurate or otherwise reliable (162) or The verification tests which the smart card 2 can perform 
returns one or more control values to the computer 11 (164) include the various types of verification tests discussed 
to allow the computer 11 to continue execution of the above. For example, the smart card 2 would verify that the 
program. computer 11 executed calls to the smart card 2 in the proper 
FIG. 5 illustrates an exemplary software program that, 60 order. Similarly, the smart card 2 would verify that received 
according to one implementation of the invention, can be values of the variables X and I were correct. In addition, the 
executed by the computer 11 in conjunction with the smart smart card 2 can probe the computer program to determine 
card 2 to validate and certify any results generated by the whether it responds the way the smart card 2 expects it to 
computer 11. The software program of FIG. 5 is intended to respond based on the values of the control variable MONI- 
illustrate various features and advantages of the invention 55 TOR returned to the computer 11. 

and is exemplary only. It is not, however, intended to limit In line 8 of the computer program in FIG. 5, the program 

the scope of the invention. writes the encrypted certification data to memory. The 
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encrypted certification data can be retrieved and decrypted at program is not satisfied, sending a signal from the smart 

a later lime by a party holding the proper decryption key. card to cause terminating the execution of the software 

The computer program of FIG. 5 ends in line 10. program. 

In some implementations, the smart card 2 is configured 3. The method of claim 1 wherein verifying comprises 

by a program in the memory 4 to vary the values of the 5 checking whether the identifier is correct, 

control variable depending on the results of the verification 4. The method of claim 1 wherein the software program 

tests. For example, various verification tests can be designed is in a current state, and wherein sending information 

to indicate whether received values are reasonable given the comprises sending information indicative of the current state 

input values or whether the received values fall within of tDe software program. 

acceptable limits. The results of such tests may indicate to i° 5. The method of claim 4 wherein the software program 

the smart card 2 that a more careful probing of the execution comprises a variable having a current value, and wherein 

of the computer program is necessary before providing sending information comprises sending the current value of 

certification. In such circumstances, the smart card 2 would tne variable to the smart card. 

modify the control values to probe the execution of the 6 - The method of claim 5 wherein verifying comprises 

program more frequently. Thus, with respect to the program 15 checking whether the current value of the variable is accu- 

in FIG. 5, the smart card 2 would, for example, return values ratc - 

of the control variable such that each time line 5 of the The method of claim 5 wherein verifying comprises 

program was executed with the variable I equal to or greater checking whether the current value of the variable falls 

than two, the current value of I would be sent to the smart within a prescribed range. 

card 2. In general, it is desirable to limit the number of times 2 ° 8. The method of claim 1 wherein storing a signal 

the smart card 2 is called so as to maintain a fast execution comprises storing a signal indicating that the software 

time for the computer program. On the other hand, the more program was not altered in an unauthorized manner prior to 

frequently the computer program calls the smart card 2 and or during its execution. 

sends it information, the more reliable the certification will 9. A method of validating execution of a software program 

be. The frequency with which the computer program calls 25 comprising: 

the smart card 2 can be tailored to the particular require- executing the software program on a computer; 

ments of the application. sending a value for a specified variable from the computer 

To further increase the likelihood that unauthorized tam- to a smart card during execution of the software pro- 

pering or alteration of the computer program will be gram; 

detected, all information sent between the computer 11 and 30 verifying in the smart card that the value received from 

the smart card 2 can be encrypted according to known the computer is accurate or within an expected range; 

techniques. sending a control value from the smart card to the 

Additionally, in certain implementations, the microcon- computer in response to verifying the information 

troller 3 can be configured by a program in the smart card 35 received from the computer and indicative of whether 

memory 4 to keep track of the number of times the software the software program is valid or invalid; 

program is executed by the computer 11 or the frequency continuing execution of the software program if the 

with which various routines in the program are called based control value indicates that the software program is 

on information sent to the smart card 2 while the program is valid. 

being executed. Such data can be stored in the smart card 4Q jo. The method of claim 9 wherein the control value 

memory 5 and subsequently retrieved to-meter the usage of determines when subsequent information will be sent from 

the computer program. Such metering would allow the thc com p Ute r to the smart card during execution of the 

vendor of the software, for example, to charge consumers on software program. 

a per-use basis, rather than a flat fee for purchase of the u The method of claim 9 of validating execution of a 

software. 45 software program further comprising: 

Other implementations are contemplated within the scope terminating execution of the software program if the 

of the following claims. control value indicates the software program is invalid. 

What is claimed is: 12. The method of claim 1 further comprising sending 

1. A method of validating execution of a software program control values from the smart card to the computer in 
comprising: 50 response to verifying the information received from the 

executing the software program on a computer; computer, wherein the frequency with which the computer 

sending information from the computer to a smart card se nds information to the smart card depends upon the 

during execution of the control values, 

software program including sending an identifier indica- 13 ' ™ e meth ° d of 1 wherein sending information 

tive of a point in the 55 comprises sending information identifying memory 

. * addresses in the computer in which specified data is stored, 

software pro eram at which the information was sent to the ~ , c r, . . . ^ . 

v f 14. The method of claim 13 wherein verifying comprises 

mmart card* * 

* verifying whether the memory addresses are permissible 

verifying in the smart card that the information received mem ory locations for the specified data. 

from the computer satisfies a criteria indicative of the 60 15 melhod of claim x wherein ending information 

validity of the software program; and l0 me smarl card occurs m iiltiple times during execution of 

storing a signal in the smart card indicative of whether the software program in a particular order, and wherein 

execution of the software program is certified as valid. verifying comprises verifying that the order in which the 

2. The method of claim 1 of validating execution of a multiple occurrences takes place is correct. 

software program further comprising: 65 16. The method of claim 1 wherein the software program 

if the software program has not finished executing and if comprises a plurality of routines each of which routines is 

the criteria indicative of the validity of the software called for during execution of the software program, and 
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wherein verifying comprises determining whether a fre- 26. A smart card for use in connection with execution of 

quency with which each of the routines is called is within a software program by a computer, the smart card compris- 

acceptable ranges. ing: 

17. A method of validating execution of a software communication circuitry for receiving information from a 
program comprising: 5 location external to the smart card and for transmitting 

executing the software program on a computer; information from the smart card to the external loca- 

sendinc information from the computer to a smart card ' ,. . . , , , 

during execution of the software program; and racmor y wtu * ^ores data and a smart card program; and 

., . . . . „ , A . . . * a microcontroller configured by the smart card program to 

verifying in the smart card that a duration of time between ^ VCfify information rcccivcd from thc compulcr during 

successive calls to the smart card by the computer execution of the software program and to cause a signal 
during execution of the software program is within t0 5e slored in the memor y, wherein the signal is 
acceptable ranges; and indicative of whether execution of the software pro- 
sending a control value from the smart card to the gram is certified as valid based on results of verifying 
computer in response to verifying the information J5 the received information; 

received from the computer and indicative of whether wherein the information received from the computer 

the software program is valid or invalid; and comprises information identifying memory addresses 

continuing execution of the software program if the in the computer in which specified data is stored, and 

control value indicates that the software program is wherein the microcontroller is further configured to 

va j^ verify whether the memory addresses are permissible 

18. Thc method of claim 1 of validating execution of a 2 ° ™ff ,ocati °jf f ° r , th . 6 data - u . 

software program further comprising: , % l ™ e ^ <?* °[ cl " m Z 2 * ! where f "* jniHocon- 

r * r -c troller is configured to check whether a value of a vanable 

terminating execution of the software program if the received from the computer during execution of the software 

control value indicates the software program further. program is accurate. 

19. The method of claim 1 wherein verifying comprises 2 5 28. The smart card of claim 26 wherein the microcon- 
performing a plurality of verification tests in response to the troller is configured to check whether a value of a variable 
information received from the computer, and wherein stor- received from the computer during execution of the software 
ing a signal comprises storing a signal indicating that the program falls within a prescribed range. 

software program was not improperly altered during its 29. The smart card of claim 26 wherein the signal stored 

execution only if all of the verification tests are satisfied. 30 in the memory indicates that the software program was not 

20. The method of claim 1 further comprising retrieving altered in an unauthorized manner prior to or during execu- 
from the smart card the signal indicative of whether execu- tion of the software program. 

tion of the software program is certified as valid. 30. The smart card of claim 26 wherein the microcon- 

21. A method of validating execution of a software troller <s furthcr configured to send a control value to the 

program comprising: 35 c0 ?i ,u iS n • . 

. t - A 31. The smart card of claim 30 wherein the microcon- 

executing the software program on a computer; ^ con fl gwtd lo delermine whel her the software 

verifying in a smart card information received from the program responds correctly to the control value. 

computer during execution of the software program is 32 The smart card of claim 26 wherein the microcon- 
within an expected frequency; troller is configured to perform a plurality of verification 
generating a signal by the smart card indicative of 40 tests in response to the information received from the 
whether execution of the software program is certified computer, and wherein the microcontroller is further con- 
as valid based on the verifying step; and figured to cause a signal indicating that the software pro- 
sending control values indicating the validity or invalidity gram was not improperly altered during its execution to be 
of the software program from the smart card to the ^ ^*Jj> the memor y ^ lf a11 of the verification tests are 
computer in response to verifying the information 4 smafl card of daim 26 wherein the miciocon . 
received from the computer troller is further configured to cause a signal indicative of 

22. The method of claim 21 wherein the signal indicative whethef nation of the software program is certified as 
of whether execution of the software program is certified as valid tQ be generated ic reS ponse to a query generated 
valid is generated after completion of the software program. 5Q externally t0 the smart card 

23. The method of claim 21 of validating exacution of a 34 ^ smafl card of daim 26 wherein lhe microcon . 
software program further comprising: holler is further configured to cause information indicative 

continuing execution of the software program base on the of the num b er 0 f times the software program has been 

control value. executed to be stored in the memory. 

24. A method of validating execution of a software 55 35 smart card of claim 2 6 wherein the software 
program comprising: program comprises a plurality of routines, and wherein the 

executing the software program on a computer; microcontroller is further configured to cause information 

sending a control value from a smart card to the computer: indicative of the frequency with which each of the routines 

sending information from the software program to the was called during execution of the software program lo be 

computer in response to the control value; eo stored in the memory, 

verifying in the smart card that the information received 36. A smart card for use in connection with execution of 

from the computer during execution of the software a software program by a computer, the smart card compris- 

program is a correct response to the control value. ing: 

25. The method of claim 24 wherein the control value communication circuitry for receiving information from a 
determines when subsequent information will be sent from 65 location external to the smart card and for transmitting 
the computer to the smart card during execution of the information from the smart card to the external loca- 
software program. tion; 
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memory which stores data and a smart card program; and 
a microcontroller configured by the smart card program to 
verify information received from the computer during 
execution of the software program and to cause a signal 
to be stored in the memory, wherein the signal is 5 
indicative of whether execution of the software pro- 
gram is certified as valid based on results of verifying 
the received information; 
wherein the information received from the computer 
comprises a plurality of routines each of which routines 10 
is called by the software program during execution of 
the software program, and wherein the microcontroller 
is further configured to determine whether a frequency 
with which each of the routines was called is within 
acceptable ranges. 15 

37. A smart card for use in connection with execution of 
a software program by a computer, the smart card compris- 
ing: 

communication circuitry for receiving information from a 
location external to the smart card and for transmitting 20 
information from the smart card to the external loca- 
tion; 

memory which stores data and a smart card program; and 
a microcontroller configured by the smart card program to 25 
verify information received from the computer during 
execution of the software program and to cause a signal 
to be stored in the memory wherein the signal is 
indicative of whether execution of the software pro- 
gram is certified as valid based on results of verifying 3Q 
the received information; 
wherein the microcontroller is further configured to deter- 
mine whether a duration of time between successive 
calls to the smart card by the computer during execu- 
tion of the software program is within acceptable 35 
ranges. 

38. A software package for use on a computer system 
having 

a computer readable medium which stores a software 

program for execution by a computer and 40 
a smart card having 
communication circuitry for receiving information 
from a location external to the smart card and for 
transmitting information from the smart card to the 
external location, 45 
memory which stores data and a smart card program, 
and 

a microcontroller, the software package comprising 
logic to cause the smart card program to verify 
information received from the computer during 50 
execution of the software program and to cause a 
signal to be stored in the memory, wherein the signal 
is indicative of whether execution of the software 
program is certified as valid based on results of 
verifying the received information; 55 
wherein the information received from the computer 
comprises information identifying memory addresses 
in the computer in which specified data is stored, and 
wherein the microcontroller is further configured to 
verify whether the memory addresses are permissible 60 
memory locations for the specified data. 

39. The software package of claim 38 further comprising 
logic to cause the microcontroller to check whether a value 
of a variable received from the computer during execution of 
the software program is accurate. 65 

40. The software package of claim 39 whereiD the signal 
stored in the memory indicates that the software program 



was not altered in an unauthorized manner prior to or during 
execution of the software program. 

41. The software package of claim 38 further comprising 
logic to cause the microcontroller to check whether a value 
of a variable received from the computer during execution of 
the software program falls within a prescribed range. 

42. The software package of claim 38 further comprising 
logic to cause the microcontroller to send a control value to 
the computer. 

43. The software package of claim 42 further comprising 
logic to cause the microcontroller to determine whether the 
software program responds correctly to the control value. 

44. The software package of claim 38 wherein the infor- 
mation received from the computer comprises a plurality of 
routines each of which routines is called by the software 
program during execution of the software program, and 
further comprising logic to cause the microcontroller to 
determine whether a frequency with which each of the 
routines was called is within acceptable ranges. 

45. A software package for use on a computer system 
having 

a computer readable medium which stores a software 

program for execution by a computer, and 
a smart card having 
communication circuitry for receiving information 
from a location external to the smart card and for 
transmitting information from the smart card to the 
external location, 
memory which stores data and a smart card program, 
and 

a microcontroller, the software package comprising: 
logic to cause the microcontroller to verify information 
received from the computer during execution of the 
software program and to cause a signal to be stored in 
the memory, wherein the signal is indicative of whether 
execution of the software program is certified as valid 
based on results of verifying the received information; 
and 

logic to cause the microcontroller to determine whether a 
duration of time between successive calls to the smart 
card by the computer during execution of the software 
program is within acceptable ranges. 

46. The software package of claim 38 further comprising 
logic to cause the microcontroller to perform a plurality of 
verification tests in response to the information received 
from the computer, and logic to cause the microcontroller to 
cause a signal indicating that the software program was not 
improperly altered during its execution to be stored in the 
memory only if all of the verification tests are satisfied. 

47. The software package of claim 38 further comprising 
logic to cause the microcontroller to cause a signal indica- 
tive of whether execution of the software program is certi- 
fied as valid to be generated in response to a query generated 
externally to the smart card. 

48. The software package of claim 38 further comprising 
logic to cause the microcontroller to cause information 
indicative of the number of times the software program has 
been executed to be stored in the memory. 

49. The software package of claim 38 wherein the soft- 
ware program comprises a plurality of routines, and wherein 
the software package further comprises logic to cause the 
microcontroller to cause information indicative of the fre- 
quency with which each of the routines was called during 
execution of the software program to be stored in the 
memory. 
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